Unless I’m misreading, there’s nothing to indicate why this bug applied to a mere 10,000 users–unless they’re the same folks who used the password recovery option during the affected interim and therefore their info passed through the vulnerable code.

If that’s not it I’m curious about what made this group stand a fingernail scraping above the rest.